Closing the CVE gap: Is MITRE up to it?
It would be hard to dispute that the CVE (Common Vulnerabilities and Exposures) program is a great concept: a “dictionary” of all known vulnerabilities in publicly released software or firmware so organizations can know what risks they are facing. (See “What is the CVE and how does it work?”) There is much dispute, however, 18 years after the nonprofit research and development organization MITRE launched the program, about how well it is working.
According to a number of critics, it’s not doing very well. Joshua Corman, a founder of I Am The Cavalry and director of the Cyber Statecraft Initiative for the Atlantic Council, said in a keynote at the SOURCE Boston conference in April that identifying and cataloging CVEs has fallen behind – way behind.